Security accountability is long overdue, says John Pescatore. When a series of worms hit in 2001 and paralyzed businesses, IT staff threw up their hands and blamed vendors. “Five years ago, nobody was responsible and nobody had authority,” Pescatore says. “The business side of the organization has learned to live with accountability and is able to talk about revenues and returns,” Pescatore says. IT managers and security managers aren’t the ones setting corporate policies, yet they’re responsible for enforcing the policies and ensuring security, he says. All in a day’s work IT executives say their jobs are now on the line if an IT event compromises security or impedes business performance.
Greater accountability is a natural consequence of IT becoming more central to business operations, says Chris Majauckas, computer technology manager for Metrocorp Publications in Boston. “Upper management is aware that it is impossible to foresee every possible negative event, but they do expect those events to be handled promptly and properly,” he says. “The days of upper executives that aren’t IT-aware are gone,” adds Bruce Meyer, senior network engineer at ProMedica Health System in Toledo, Ohio. The negative publicity surrounding the recent breaches has forced all IT departments “to examine how the events happened and discuss with the executive level what our exposure to the same incident would be,” says Cory Elliott, IT director at Basic Energy Services in Midland, Texas.
The Health Insurance Portability and Accountability Act (HIPAA) and the Sarbanes-Oxley Act (SOX) were designed to protect patient privacy and improve financial reporting, respectively. The burden of providing that falls to IT – which can become a scapegoat if efforts come up short. “Oversights, either deliberate or inadvertent, now become part of reports to audit committees and boards, who have obligations to show due diligence in responding to compromised situations,” he says. “This may produce more pressure and require dismissals that would not necessarily occur in private companies.” Dismissing or shuffling IT staff is often a signal to the public that punitive and preventive measures have been taken, Donnelly says.
The company’s IT department is spending more time and money on security investments such as intrusion-prevention systems, firewall, security appliances and antivirus software. “If you have a regulatory stick, use it,” Pescatore says. While greater IT accountability is a good thing, it has to come with authority, Pescatore says.
Ground your assertions in reason: “It has to be about more than just fear.”
http://www.networkworld.com/news/2006/082806-security-risk.html?WT.svl=bestoftheweb1